Maybe We Should Redefine the Purpose of Internal Auditing

This morning, I was replying to a comment in LinkedIn's Chief Audit Executive's group (those interested in internal auditing should be members of the IIA group, and those in IA management should be in the CAE group) when it struck me that a redefinition of internal auditing might be useful.

You will remember that the IIA IPPF definition asks that we provide assurance and consulting services related to governance, risk management, and the related controls (my version of the wording). But what does this really mean?

Perhaps, instead of talking about three different but related sets of processes, we should be talking about what they represent when taken together.

I believe we have to tell our stakeholders whether the organization's processes and practices provide reasonable assurance that the organization's goals and strategies will be achieved. Those processes and practices include the management of risks to objectives and rely on appropriate controls. Compliance is included because failure to comply is a risk to the achievement of objectives.

After all, how do we assess whether governance, risk management, and related controls are 'adequate' unless it is within the context of achieving strategies, goals, and objectives?

Isn't this what we are really supposed to do? If not now, shouldn't we be moving to do this?

I would love to hear your views. 

Posted on Jun 10, 2011 by Norman Marks


  1. Just to clarify, based on feedback: I am suggesting that providing assurance on the three legs is not as valuable as providing assurance on the stool.


  1. Norman, you nearly gave me a heart attack with your heading!

    The purpose of internal auditing itself therefore does not need changing. The definition states it as – “It (internal auditing) helps an organization accomplish its objectives”.

    I do feel, however, that the definition of internal auditing phrase "designed to add value and improve an organisation's operations" takes some focus away from the fundamental purpose, and it would help a great deal if it were not there.


  1. I think I will retire before I am prepared to offer an opinion on stool(s). My brother is a doctor and that is best left to his profession.

  1. It would be great to have Internal Audit provide more value to the organization than just prepare for audits, it would make the job much more interesting and allow internal audit to improve the company's processes.
  1. Maybe we should just leave everything alone and focus on making sure that internal auditors get the right training so that they can do their jobs, and stop trying to reinvent the wheel. Internal audit's responsibilities are clear and they are not executing these responsibilities. Deal with the problem before we move forward in other areas.

  1. Norman,

    I absolutely agree with your premise, and disagree with parts of the responding comments here. There is tremendous value to be mined for Governance, and it really fits best within the scope of IA. The current IA definition is our ideal as it stands, including the parts about us adding value. However, there are a couple of traditions within IA that blind us to the value of the Stool.

    Value - Governance needs nothing more than to understand its strategic direction, the strength of its operations and the threats that may prevent it from getting there. This is the simple information that they need to make risk appetite decisions. However, management has incentive to present the most positive picture. Compliance presents the most dour threats from non-compliance, Legal presents legal risks, and IA has historically commented on the accuracy of process level controls, largely around financial processes. Yet this is only a small part of the information Governance needs. Who helps governance understand if accountability for objective achievement has been effectively assigned? How does governance know if management has responded to their objectives by putting adequate objective oversight functions (management controls) in place? Who tells governance how aligned the people, process and technology are to achieve their most critical objectives? IA should be seeking to answer these questions. We can and should create standard expectations here using management's own standards and then produce comparable reporting for governance. This is how IA achieves the value promised in our definition. However, we have many obstacles that still blind us to this potential.

    IA Blindness - There are several elements of the traditional IA character that prevent us from achieving this value:

    - Defining expert as needing to tell management how it is… in reality we should be the expert at measuring them against their own ideal in a standard comparable way valuable to governance
    - Defining the threat as the most important part of risk… in reality you cannot apply the understanding of the threat until you understand the vulnerability of the operations in place
    - We are not the experts beyond finance and compliance, so we should not audit too far out of those circles… in reality we don't have to be the experts to tell them how effectively management has responded to any objective in the establishment of management oversight functions and effective alignment of skilled people, processes and technology

    There are significant steps IA still has to take to be in compliance with our own definition. We cannot continue to do what we have always done, because more is being expected of governance, and if we do not help them achieve it, we will eventually become irrelevant.
    Dan Clayton
  1. Norman:

    I have given the matter of IA's reason for being considerable thought. My conclusion is that much would be achieved if the profession altered its definition to one that focused on the outcome(s) sought, not the activities IA currently performs. I believe that IA should focus a large percentage of its resources on achieving the simple end result of:

    Ensure senior management and the board are aware of the significant residual risks being accepted by the organization.

    It is not, in my opinion, IA's job to decide what that residual risk position should be, but it is IA's job to ensure that senior management and the board are aware of significant risks, including significant residual risks in strategy, and have determined that it is consistent with their risk appetite/tolerance.

    Far too many IA departments still think their primary purpose in life is to plan audits, execute audits and report audits. Perhaps this is because they are called "internal auditors". This needs to change to meet the emerging expectations that boards are overseeing their organization's risk management processes. I think IA's new name should be Risk Oversight Support Services. A few visionary departments have already made the change.


  1. Unfortunately, although there are some signs of change, a large percentage of IIA certification and PD is still linked to the notion that IA's primary focus in life is to do audits and report audit results. I believe that external outsourced service providers will exploit the current fundamental deficiency in internal audit services if IA departments don't change themselves.

    Boards of Directors need help now to meet emerging risk oversight expectations. Traditional IA doesn't meet those expectations. IA departments that are unwilling to change are at risk.

  1. Tim, thank you for the comment. May I ask for clarification? Are you suggesting that IA be an independent assessor of risks to organizational success? Would they have to perform independent:

    - risk identification?

    - risk assessment and evaluation?

    - risk monitoring?

    - assessment of the effectiveness of risk responses?

    Or, are they to audit management's risk management processes? I read your comments as saying that auditing management's processes is not enough. The results of those processes should be subject to an independent audit process. Is that correct?

  1. Tim/Norman:

    On your last two postings: Tim, you are on the mark exactly, except that the outsourced service providers will try to exploit the situation, but because they too do not have the skill sets (the big firms), there is no telling what the Boards will do. One thing is quite clear. The Boards are getting smarter and smarter through new and improved seminars they are attending and because of the new SEC rules. The point is that internal audit will continue to lose credibility instead of gaining credibility.

    I think that Tim may be saying (not sure) that internal audit is not providing an overall opinion on the risk management system. Well, we know this, and this situation exists because the necessary training programs have not been developed for internal auditors to do what it is they need to do.


  1. Norman/Arnold:

    My point is simple: IA should see its primary purpose in life to ensure senior management and the board are aware of the organization's residual risk status. A good start is to provide an opinion on whether the organization's current risk management processes do a reasonable job accomplishing that. If IA's opinion is that the current risk management processes don't do a very good job reporting on residual risk status to senior management and the board, IA needs to attempt to use its limited resources to provide supplemental information on the organization's residual risk status. This cannot be accomplished efficiently by focusing a lot of resources on control testing or doing scores/hundreds of point-in-time traditional "direct report" audits.

    IA departments need to do all their audits using the type of steps outlined in ISO 31000. SOX 404 work should be done using a true risk assessment process that starts by taking steps to identify statistically the most significant risks to materially reliable financial statements, including the most statistically probable income/balance sheet/note disclosure errors by sector.

  1. Norman:

    I also think every IA department should complete an analysis of their organization's compliance risk fitness. I have posted a 100 point "Compliance Risk Fitness Quiz" on our website at This should be done under legal privilege as the results may illustrate significant flaws in the legal compliance framework.  

    Every company I have ever worked for breaks laws.  Sometimes these are "small laws" that have little or no consequence. Sometimes they are "flavor of the month" laws like FCPA, AML, and other federal laws that expose them now to the massive U.S. whistleblowing bounty system. 

    An organization's residual risk status in the legal compliance area is an area every board should understand. In particular, they need to know if the risk tolerance of senior management in the area of legal compliance is consistent with the board's risk tolerance. Few auditors have completed a full analysis of their organization's compliance risk management processes. This needs to change.
